In addition to implementing procedures designed to maintain the integrity of the company’s data networks, the Cyber Program should incorporate data retention policies that dictate the manner in which and the extent to which the company’s data should be retained. Generally, sensitive data should be retained only so long as is legally necessary, or for so long as it serves a legitimate business purpose, whichever is longer. Procedures must be adopted to ensure that such data is disposed of safely. Importantly, these procedures must include legal hold policies that would ensure the company retains all data that is or may be the subject of pending or threatened legal or regulatory action. Failing to implement legal hold policies could lead to the imposition of civil and possibly criminal sanctions. Accordingly, it is critical that the designated board committee work with counsel to oversee the implementation of legal hold policies and adopt mechanisms that will ensure such policies are strictly adhered to.
An effective Cyber Program should also establish mechanisms for educating employees on how they can minimize a company’s overall exposure to cyber security threats. Many breaches have resulted from the mishandling of data or communications networks by employees. While it is impossible to hedge against every risk, companies should equip their employees with the tools they will need to help minimize a company’s exposure. One method of doing so is to develop employee cybersecurity programs that educate employees on the threats posed by cyber-attacks and train employees to follow cybersecurity best practices. Such practices include adequately securing mobile devices, avoiding public Wi-Fi hotspots, identifying and deleting phishing emails, utilizing adequate passwords, and changing their passwords regularly. It is especially important that training programs be updated regularly to address evolving cybersecurity risks. Controls on employee access points, such as multi-factor authentication, should also be implemented to ensure that only authorized employees have access to the network.
The Cyber Program should also develop contractual requirements for third-party service providers to ensure those entities have implemented adequate internal cybersecurity practices before the company does business with them. Companies should also conduct audits to periodically assess their cybersecurity protocols and identify issues that may arise after contractual relationships have already been established with third-party service providers. Setting minimum standard thresholds for third-party service providers and maintaining regular oversight over those relationships is particularly important where service providers have access to company data. Under such circumstances, contracts with third-party service providers should specify the duties and responsibilities that will flow to the service providers in connection with handling, storing, protecting, and destroying company data.
It is also important for CISOs and boards to consider how their companies will respond to cybersecurity attacks. Companies should develop, maintain, and update a post-incident response plan outlining the procedures to be followed by the company once a cyber-attack has been discovered. The board should ensure that an emergency response team, composed of members of the designated board committee, legal counsel, IT personnel, compliance officers, and communications personnel, is in place to respond quickly to breaches once they have occurred. Each member of the response team should be familiar with their roles and responsibilities, from securing compromised IT assets to notifying the appropriate authorities and affected consumers. These measures may mitigate any potential liability that results in the wake of a breach.
Importantly, it is rarely ever sufficient to simply establish a Cyber Program and assume that it will effectively protect a company from cybersecurity threats. The designated board committee should work closely with the CISO to ensure that the Cyber Program is periodically tested to evaluate its effectiveness. A “penetration test,” designed to simulate a real-world cyber-attack, can be conducted by an in-house team, or can be outsourced to third-party professionals. Any vulnerability revealed by the test should be brought to the attention of the entire board and should be addressed as expeditiously as possible.
Implementing important corporate governance mechanisms aimed at securing the company’s data management and IT systems will help the board mitigate cyber risk and potential liability. Importantly, maintaining oversight over a robust cybersecurity program can help achieve a culture of compliance in light of new and evolving regulatory requirements. The New York Department of Financial Services (“NYDFS”) has taken the lead on establishing new cybersecurity standards with which insurance companies and financial institutions must comply. All insurance company boards should be aware of the NYDFS regulation, regardless of whether they operate in New York, because those regulations are indicative of a national movement, as regulators at both the state and federal levels are taking steps to impose new cybersecurity requirements on insurers and financial institutions. Perhaps more importantly still, the Cybersecurity Working Group of the National Association of Insurance Commissioners (“NAIC”) recently adopted a draft of its Insurance Data Security Model Law, which is expected to be rolled out across the states for adoption.
Cybersecurity will continue to be a major issue affecting all companies, but it is a particular concern for insurers that collect and store massive amounts of sensitive policyholder data. Insurance companies may be exposed to legal liability if they fail to implement and oversee cybersecurity protocols in their respective organizations. This could even result in board member liability under certain circumstances. Regulators will continue to monitor companies and may take action if companies do not set up appropriate cybersecurity safeguards. Effective corporate governance is key to ensuring compliance with these standards, satisfying the board’s duty of care, and avoiding the many negative consequences of a data breach.